As remote access to computer systems and applications grows in popularity, the number and variety of transactions which are accessed remotely over public networks such as the Internet have increased dramatically. This popularity has underlined a need for security, in particular: how to ensure that people who are remotely accessing an application are who they claim they are, how to ensure that transactions being conducted remotely are initiated by legitimate individuals, and how to ensure that transaction data has not been altered before being received at an application server.
One solution to secure the interaction of users with computer-based applications is the use of hardware strong authentication tokens for generating one-time passwords (OTP) and/or electronic signatures.
Hardware strong authentication tokens are dedicated devices that only serve to generate OTPs and/or electronic signatures using a cryptographic algorithm that is parameterized with a secret cryptographic key. While the algorithm is often the same for a large number of tokens belonging to different users, the secret cryptographic key that is used by a particular token associated with a particular user will typically be different from the secret keys used by other tokens that are associated with other users, to ensure that different tokens (associated with different users) will generate different OTPs and different electronic signatures. In other words, even if many tokens may be adapted to offer the same functionality using the same algorithm, each token is usually personalized with at least a different secret key value that parameterizes the algorithm for generating OTPs and/or electronic signatures, so that different users may be associated with different values of the secret key.
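The per-token personalization described above, as an added example that is not part of the original text: the text names no algorithm, so HOTP (RFC 4226) is assumed here, and the `Verifier` class, the user names and Bob's key are constructed for illustration. Both tokens run the same function; only the secret key differs, and the server checks each OTP against the key enrolled for that user.

```python
import hashlib
import hmac
import struct

# Constructed sample keys: same algorithm, one distinct secret per token.
ALICE_KEY = b"12345678901234567890"   # RFC 4226 Appendix D test secret
BOB_KEY = b"constructed-demo-key-bob"


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over an 8-byte counter, then truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low nibble of last byte selects 4 bytes
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class Verifier:
    """Server side: stores the key and next expected counter per user."""

    def __init__(self, window: int = 3):
        self.window = window  # look-ahead for tokens that ran ahead
        self.tokens = {}      # user -> [key, next_counter]

    def enroll(self, user: str, key: bytes) -> None:
        self.tokens[user] = [key, 0]

    def verify(self, user: str, otp: str) -> bool:
        if user not in self.tokens:
            return False
        key, counter = self.tokens[user]
        for c in range(counter, counter + self.window + 1):
            if hmac.compare_digest(hotp(key, c).encode(), otp.encode()):
                self.tokens[user][1] = c + 1  # consume: no replay
                return True
        return False


if __name__ == "__main__":
    v = Verifier()
    v.enroll("alice", ALICE_KEY)
    v.enroll("bob", BOB_KEY)
    otp = hotp(ALICE_KEY, 0)
    print("alice accepts her OTP:", v.verify("alice", otp))
    print("replay rejected:", not v.verify("alice", otp))
    print("bob's account rejects alice's OTP:", not v.verify("bob", otp))
```

Whoever holds a copy of a user's key can generate that user's OTPs, which is why delivering the key to a software token is the sensitive step.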
Users have to make sure that they have their token with them wherever they happen to be when they want to access the application. In some cases users may perceive this as inconvenient. One possible alternative to dedicated hardware tokens is the use of software tokens. Software tokens, or “soft tokens”, are software applications that are capable of emulating the functionality of hardware strong authentication tokens (i.e. the generation of OTPs and electronic signatures). Soft tokens typically run on a personal computing device that belongs to a user and that is capable of running various software applications. Usually these computing devices are not dedicated to one single particular computing task but may comprise a general-purpose computing platform that may be adapted to receive extra software applications in the course of their life cycle depending on the needs of the user. Smartphones are examples of personal computing devices upon which software tokens can be installed and that users generally tend to have with them at all times. Tablet computers may be another example of personal computing devices upon which software tokens may be installed.
Since a software token is a piece of software that runs on a general-purpose computing device, it is a challenge to personalize a software token installed on a personal computing device of a given user, i.e. to provide the software token with a set of data (including for example the secret key that the software token will use for cryptographically generating credentials on behalf of the user) having values that are specific to that individual software token instance and that may be associated with the intended user of the software token.
Software tokens and hardware tokens may in this description be collectively referred to as authentication tokens.
What is needed is a secure yet convenient solution for the personalization of a software token.